Payroll Pirates Are Exploiting Trust, Not Technology


Microsoft Threat Intelligence has revealed a spate of financially motivated cyberattacks against universities across the United States. The threat actor, tracked as Storm-2657, is exploiting weak authentication in what experts are calling “payroll pirate” attacks: a scheme in which the attacker reroutes an employee’s salary into a bank account the attacker controls.

According to Microsoft, the group gained access to university employees’ accounts by phishing their login credentials and multifactor authentication (MFA) codes. With the email account in hand, the attackers reached the human resources (HR) system, Workday in the observed cases, through the same identity via single sign-on, and then changed the employee’s payroll information to redirect payments.

The campaign was observed through the first half of 2025 and primarily focused on universities, but it raises questions for any organization that uses a cloud HR or payroll platform. Workday was the most commonly targeted system; however, Microsoft clarified that the attacks exploited human error and weak authentication, not a vulnerability in the Workday platform itself.

“These actors are financially motivated and rely on social engineering, not vulnerabilities in Workday,” said Microsoft in its follow-up analysis. “Organizations without phishing-resistant MFA continue to be at risk.”

Phishing Campaigns Masquerading as Campus Alerts

Microsoft’s investigation revealed that Storm-2657 used highly convincing phishing campaigns to gain initial access. The attackers crafted emails designed to mimic official university communications, tricking recipients into revealing credentials and MFA codes.

Since March 2025, Microsoft observed 11 compromised accounts across three universities, which were then used to send phishing emails to nearly 6,000 individuals at 25 other institutions. Some messages contained Google Docs links — a tactic that made detection more difficult in academic environments where such tools are widely used.

The phishing emails followed several recurring themes. Early campaigns carried alarming subject lines such as:

  • “COVID-Like Case Reported — Check Your Contact Status”
  • “Confirmed Case of Communicable Illness”
  • “Faculty Compliance Notice – Classroom Misconduct Report”

These messages urged recipients to click links under the guise of checking exposure details or reviewing faculty reports. One campaign targeted 500 employees at a single university, yet only 10 percent flagged the message as suspicious.

In more recent attacks, Storm-2657 impersonated university officials or HR departments, sending emails about “compensation updates” or “benefits revisions.” Some even named the university president to appear authentic. Once a victim clicked the embedded link, they landed on a fake login page where the attackers harvested credentials and MFA codes. Because a one-time MFA code expires within a minute or so, the attackers had to use it immediately to complete the real sign-in, which is why Microsoft describes these as adversary-in-the-middle phishing links rather than simple credential harvesting.

Hijacking Workday Accounts and Hiding the Evidence

After obtaining access, the attackers moved swiftly. They logged into victims’ email and Workday accounts using the stolen credentials and created inbox rules that automatically deleted notifications from Workday, so employees never saw the alerts about changes to their payroll or bank details.

Microsoft found that the attackers then modified the “Payment Election” settings within Workday, replacing the employee’s bank account with one under their own control. Future salary deposits were redirected to the fraudulent account, and the change typically went unnoticed until payday.

To maintain long-term access, the threat actors also registered their own phone numbers as MFA devices on the compromised profiles. This let them satisfy future authentication prompts themselves and keep using the account without alerting the victim.

“The attackers were deliberate and methodical,” Microsoft explained. “By setting up inbox rules and enrolling new MFA devices, they effectively erased traces of their intrusion.”

Payroll Pirates Are Exploiting Trust, Not Technology

The “payroll pirate” scheme is a variant of business email compromise (BEC), a tactic that continues to cause major financial damage globally. According to the FBI’s 2024 Internet Crime Report, BEC schemes resulted in more than $2 billion in reported losses in 2024 alone.

Unlike traditional ransomware attacks, BEC operations rely on deception and social engineering rather than malware. Criminals manipulate employees into sending money or credentials through emails that look legitimate.

Microsoft’s findings highlight how academic institutions, often balancing open communication with limited cybersecurity budgets, are becoming soft targets for such financially driven operations.

Microsoft’s Response and Recommendations

Microsoft said it has notified several affected universities and shared details of Storm-2657’s tactics, techniques, and procedures to help organizations strengthen their defenses. The company also worked with Workday to issue mitigation guidance for customers.

Workday, in a statement, emphasized the importance of enabling strong authentication measures.

“We encourage customers to use phishing-resistant MFA and add extra verification steps for sensitive actions like payroll updates,” a Workday spokesperson said.

Microsoft recommends that organizations adopt passwordless, phishing-resistant authentication methods such as FIDO2 security keys, Windows Hello for Business, or passkeys in Microsoft Authenticator. Because these credentials are bound to the legitimate site’s origin, a fake login page cannot capture anything reusable, which removes the credential-theft step the campaign depends on.

Security teams are also urged to monitor for unusual payroll changes, newly created inbox rules (particularly rules that delete or move messages from HR systems), and newly registered MFA methods. If suspicious activity is detected, affected accounts should have their credentials reset and active sessions revoked immediately, unauthorized MFA devices removed, and payroll configurations restored.
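The three behaviours described in this article (an inbox rule hiding Workday mail, a new MFA method, and a changed direct-deposit account) are individually noisy but highly suspicious together on one identity. The following is an added example of that correlation, not code from Microsoft or Workday. The audit records are constructed and simplified to resemble Microsoft 365 Unified Audit Log entries for Exchange inbox-rule operations and Entra ID security-info registration; the payroll change feed is a hypothetical HR export whose field names (`worker_email`, `changed_at`) are assumptions. The real audit schema is richer and operation names may differ slightly, so treat the matching constants as a starting point.

```python
"""Correlate mailbox-rule, MFA-enrollment and payroll-change events per identity.

Constructed records modelled on Microsoft 365 Unified Audit Log entries
(Exchange 'New-InboxRule' / 'Set-InboxRule' with a 'Parameters' list of
{Name, Value}, and Entra ID 'User registered security info') plus a
hypothetical HR change feed. Not the page's or any vendor's code.
"""
from datetime import datetime, timedelta

HR_KEYWORDS = ("workday", "payroll", "human resources")           # senders/subjects worth hiding
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
HIDING_ACTIONS = {"DeleteMessage", "SoftDeleteMessage", "MoveToFolder"}
MATCH_PARAMS = {"From", "FromAddressContainsWords", "SubjectContainsWords", "BodyContainsWords"}


def _params(record):
    """Flatten the Exchange audit 'Parameters' list into {name: value-as-string}."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def rule_hides_hr_mail(record):
    """True if an inbox-rule operation deletes or files away mail that references HR/payroll."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return False
    params = _params(record)
    # DeleteMessage/SoftDeleteMessage carry 'True'; MoveToFolder carries a folder name.
    hides = any(params.get(a, "").lower() not in ("", "false") for a in HIDING_ACTIONS)
    targets = " ".join(params.get(p, "") for p in MATCH_PARAMS).lower()
    return hides and any(k in targets for k in HR_KEYWORDS)


def is_new_mfa_method(record):
    """True for a successful Entra ID security-info registration (new phone, app, etc.)."""
    return (record.get("Operation") == "User registered security info"
            and record.get("ResultStatus") == "Success")


def collect_signals(audit_records):
    """Map user -> list of (timestamp, signal-name) for the hiding/persistence behaviours."""
    signals = {}
    for rec in audit_records:
        user = rec["UserId"].lower()
        when = datetime.fromisoformat(rec["CreationTime"])
        if rule_hides_hr_mail(rec):
            signals.setdefault(user, []).append((when, "inbox_rule_hides_hr_mail"))
        elif is_new_mfa_method(rec):
            signals.setdefault(user, []).append((when, "new_mfa_method"))
    return signals


def correlate(audit_records, payroll_changes, window_days=14):
    """Score each payroll bank-account change by the signals on the same identity within
    +/- window_days. Users with a hiding rule but no payroll change yet are still flagged.
    Returns {user: (severity, sorted list of distinct signal names)}."""
    signals = collect_signals(audit_records)
    window = timedelta(days=window_days)
    findings = {}
    for change in payroll_changes:
        user = change["worker_email"].lower()
        when = datetime.fromisoformat(change["changed_at"])
        nearby = sorted({name for t, name in signals.get(user, []) if abs(t - when) <= window})
        severity = {0: "review", 1: "medium"}.get(len(nearby), "high")
        findings[user] = (severity, nearby)
    for user, sigs in signals.items():                       # hiding rule with no change (yet)
        if user not in findings and any(n == "inbox_rule_hides_hr_mail" for _, n in sigs):
            findings[user] = ("medium", sorted({n for _, n in sigs}))
    return findings


SAMPLE_AUDIT = [  # constructed records, not real telemetry
    {"CreationTime": "2025-04-02T14:03:11", "UserId": "jdoe@univ.example",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "FromAddressContainsWords", "Value": "workday"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-04-02T14:07:40", "UserId": "jdoe@univ.example",
     "Operation": "User registered security info", "ResultStatus": "Success",
     "ResultDescription": "User registered Mobile Phone SMS"},
    {"CreationTime": "2025-04-01T09:15:00", "UserId": "asmith@univ.example",
     "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "Weekly digest"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]
SAMPLE_PAYROLL = [  # hypothetical HR export of direct-deposit (Payment Election) changes
    {"worker_email": "jdoe@univ.example", "changed_at": "2025-04-03T08:30:00"},
    {"worker_email": "bwong@univ.example", "changed_at": "2025-04-10T11:00:00"},
]

if __name__ == "__main__":
    for user, (severity, sigs) in correlate(SAMPLE_AUDIT, SAMPLE_PAYROLL).items():
        print(f"{severity:7} {user:22} {', '.join(sigs) or 'no hiding/persistence signals'}")
```

In this sample, jdoe scores `high` (a rule deleting Workday mail and a new SMS method within a day of the bank change), bwong's lone change is `review` (normal payroll churn, but worth an out-of-band confirmation), and asmith's newsletter rule produces nothing. Feeding the real Unified Audit Log export and the HR system's change report into `correlate()` is the practical version of the monitoring Microsoft recommends above.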


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.